Busting the myths about cyber hacks: “It won’t happen to me”

The recent headlines about drug firms and research groups being targeted by state-sponsored hackers highlight the very real cyber threats to which we’re all exposed, particularly pharmaceutical and R&D organisations.

How significant are the dangers, and what can be done to protect networks and the critical data that resides on them? What role can cyber insurance play in mitigating these risks?

According to the BBC, the hackers used malware called WellMess and WellMail to access the vaccine data. This was accompanied by targeted email phishing attacks, which are designed to trick unsuspecting researchers into handing over information helpful to the hackers.

Such attacks can result in theft, or even destruction, of critical data, and researchers may be locked out of their computer networks, unable to access the information they need to perform their work. Additionally, many modern laboratories use equipment that can be controlled remotely over a network, so hackers who are able to take control of those networks could, in theory, interfere with experiments, rendering any results unreliable and setting back vital research.

The implications for the urgent international effort to find a Coronavirus vaccine are obvious.

Happily, in this instance, it seems that network security controls performed well, with the BBC reporting that vaccine research had not been hindered by these assaults. But given the nature of such hacks, it may be some time before the true extent of any damage becomes clear.

The insurance industry, and expert brokers like Partners&, have a vital role to play.

The London insurance market has pioneered the development and evolution of cyber insurance, which is designed to protect organisations against the financial, legal and technical challenges that accompany hacking attacks of this nature.

How does this form of insurance operate and what benefit could it be to pharma and R&D companies?

A cyber insurance policy primarily acts as a breach response service, with the pharma or R&D policyholder being connected with a dedicated breach manager who will triage their cyber event, consult on the most effective way of responding to the attack, and then manage the technical response – with all costs being directly billed to the insurer.

This involves the appointment of an expert IT forensics team to support the organisation in identifying the cause of the intrusion and correcting the network breach. Should the organisation not have insurance, this is often a very expensive cost for it to carry alone. Identifying the expertise required and negotiating a rate for the work is not something most organisations will have time for immediately following an attack.

Insurers and their panel of specialist service providers can help in other ways:

  • Public relations advisers, helping the organisation to deal with press enquiries;
  • Lawyers, to represent the organisation if it’s sued for a data breach, or investigated by a regulator like the Information Commissioner;
  • Notification costs, where the insurer picks up the considerable cost of notifying any third parties whose data has been breached (often legally mandated);
  • Repair and recovery, with insurers picking up the cost of replacing or repairing networks, or recovering data, affected by the intrusion;
  • Revenue interruption, where insurers pay for any impact to the organisation’s bottom line.

But it’s not all plain sailing.

There’s no standardisation in cyber insurance. Terminology is complex and different insurers offer varying levels and scope of protection.

Some insurers have sought to deny cyber claims involving state-sponsored hackers on the basis that such actions constitute a form of cyber warfare between nation states. They’ve argued that the “War” exclusion, commonly appearing in insurance policies, excuses them from paying.

Other insurers have rejected claims on the basis that they’re unwilling to provide coverage for terrorist activity – arguing that some cyber attacks are performed by known terrorist groups.

Simply identifying and mitigating vulnerabilities in an organisation’s network can be technically challenging.

So it pays to work with an insurance adviser who really understands this space, can provide support in identifying risks, and has granular knowledge of the marketplace.

Partners& works only with cyber insurers who have committed to pay cyber claims regardless of whether the attack was perpetrated by criminal organisations, terrorist gangs or nation states.

We can also help organisations to understand what their specific network vulnerabilities are, by analysing their network and RAG-rating (red/amber/green) the potential vulnerabilities in a plain-English report.

This then informs the tailored insurance solutions that we build, with insurers who not only provide the broadest coverage available, but who also provide added value with pre-breach risk management tools and post-breach support.

Matthew Clark

Partner - Business Development, Science & Technology